Extending Cloudflare To 65,533 More Ports

Today we are introducing Spectrum, which brings Cloudflare’s security and acceleration to the whole spectrum of TCP ports and protocols for our Enterprise customers. It’s DDoS protection for any box, container or VM that connects to the internet; whether it runs email, file transfer or a custom protocol, it can now get the full benefits of Cloudflare. If you want to skip ahead and see it in action, you can scroll to the video demo at the bottom.

DDoS Protection

The core functionality of Spectrum is its ability to block large DDoS attacks. Spectrum benefits from Cloudflare’s existing DDoS mitigation (which this week blocked a 900 Gbps flood). Spectrum’s DDoS protection has already been battle tested. Just soon as we opened up Spectrum for beta, Spectrum received its first SYN flood.

One of Spectrum’s earliest deployments was in front of Hypixel’s infrastructure. Hypixel runs the largest minecraft server, and because gamers can be – uh, passionate – they were one of the earliest targets of the terabit-per-second Mirai botnet. “Hypixel was one of the first subjects of the Mirai botnet DDoS attacks and frequently receives large attacks. Before Spectrum, we had to rely on unstable services & techniques that increased latency, worsening user’s experience. Now, we’re able to be continually protected without added latency, which makes it the best option for any latency & uptime sensitive service such as online gaming,” Bruce Blair, the CTO at Hypixel, told us.

Another early team we talked to about Spectrum was the security team at Montecito Bank. As a financial institution, they have a highly technical and active security team; they were also one of the first customers to use Cloudflare’s DNSSEC when it was brand new. Paul Abramson, Montecito Bank’s Director of Technology told us, “We were looking for a security solution to protect additional services like email and SSH so that if we are subject to attack, our operations can continue to run reliably and securely.”

TLS Support

Security and encryption go hand in hand. With Spectrum, you can terminate TLS at Cloudflare’s edge. The main benefit of TLS termination at the edge is that is speeds up performance (there’s less distance to travel for the three round trips of the TLS handshake).

We think the most interesting outcome is that just by adding support for TLS in the client, Cloudflare can now add encryption to legacy protocols and services that don’t traditionally support encrypted transit.

Firewall

Spectrum integrates with Cloudflare’s IP Firewall so that you can choose which connections should be forwarded to your servers and which should be blocked at Cloudflare’s edge.

This can be managed via API too, so you can write scripts that allow and deny access on the fly.

Demo

Many TCP load balancers and proxies can be cumbersome to set up, but Spectrum takes a few clicks. Tito Esterline on our team recorded a demo you can watch below. My suggestion is to play it with audio so you can hear the play by play.

Get In Touch

Why just Enterprise? While HTTP can use the Host header to identify services, TCP relies on each service having a unique IP address in order to identify it. Since IPv4 addresses are endangered, it’s quite expensive for us to delegate an IP per application and we needed to limit use. We’re actively thinking about ways to bring Spectrum to everyone. One idea is to offer IPv6-only Spectrum to non-Enterprise customers. Another idea is let anyone use Spectrum but pay for the IPv4 address. We’re not sure yet, but if you prefer one to the other, feel free to comment and let us know.

Oh and P.S. If you want to read about how Spectrum works, Marek wrote a great blog post about the Linux behavior that let us build it.